Parallelizable Encryption Mode with Almost Free Message Integrity

Charanjit S. Jutla
IBM T.J. Watson Research Center, Yorktown Heights, NY 10598

In this document we propose a new mode of operation for symmetric key block cipher algorithms. The main feature distinguishing the proposed mode from existing modes is that along with providing confidentiality of the message, it also provides message integrity. In other words, the new mode is not just a mode of operation for encryption, but a mode of operation for authenticated encryption. As the title of the document suggests, the new mode achieves the additional property with little extra overhead, as will be explained below.

The new mode is also highly parallelizable. In fact, it has a critical path of only two block cipher invocations. By one estimate, a hardware implementation of this mode on a single board housing 1000 block cipher units achieves terabits/sec ($10^{12}$ bits/sec) of authenticated encryption. Moreover, there is no penalty for doing a serial implementation of this mode.

The new mode also comes with proofs of security, assuming that the underlying block ciphers are secure. For confidentiality, the mode achieves the same provable security bound as CBC. For authentication, the mode achieves the same provable security bound as CBC-MAC.

The new parallelizable mode removes chaining from the well known CBC mode, and instead does an input whitening as well as an output whitening with a pair-wise independent sequence. Thus, it becomes similar to the ECB mode. However, with the input whitening with the pairwise independent sequence the new mode has provable security similar to CBC (note: ECB does not have security guarantees like CBC). Also, the output whitening with the pairwise independent sequence guarantees message integrity. The pairwise independent sequence can be generated with little overhead. In fact, the input and output whitening sequence need only be pairwise differentially uniform, which is a weaker property than pairwise independence, as explained in the details below. The weaker pairwise differentially uniform sequence can be generated with even less overhead.

The parallelizable mode comes in two flavors. These flavors refer to how the pairwise differentially uniform sequence is generated. In one mode, we just use a pairwise independent sequence generated by a subset construction. In another mode, the pairwise differentially uniform sequence is generated by $a \cdot i$ modulo a fixed prime number. There will be one standard prime number for each bit-size block cipher. Thus, for 64-bit block ciphers the prime could be $2^{64} - 257$. For 128-bit block ciphers, the prime could be $2^{128} - 159$.

The modes are described below in more detail. For proofs of security see the proceedings of Eurocrypt 2001 (also http://eprint.iacr.org/2000/039.ps).

We first give definitions of pairwise independence and related concepts. Then we describe the parallelizable mode using the algebraic construction $a \cdot i$ modulo a fixed prime. Finally, we describe the mode using only exclusive-or operations.

1. Definitions

Definition 1 (pair-wise independence). A sequence of uniformly distributed $n$-bit random numbers $s_1, s_2, \ldots, s_m$ is called pair-wise independent if for every pair $i, j$ with $i \neq j$, and every pair of $n$-bit constants $c_1$ and $c_2$, the probability that $s_i = c_1$ and $s_j = c_2$ is $2^{-2n}$.

Definition 2 (pair-wise differentially-uniform). A sequence of uniformly distributed $n$-bit random numbers $s_1, s_2, \ldots, s_m$ is called pair-wise differentially-uniform if for every pair $i, j$ with $i \neq j$, and every $n$-bit constant $c$, the probability that $s_i \oplus s_j$ is $c$ is $2^{-n}$.

It is a fact that a pair-wise independent uniformly distributed sequence is also pair-wise differentially uniform.

Definition 3 (pair-wise differentially-uniform in GF(p)). A sequence of random numbers $s_1, s_2, \ldots, s_m$ uniformly distributed in GF(p) is called pair-wise differentially-uniform in GF(p) if for every pair $i, j$ with $i \neq j$, and every constant $c$ in GF(p), the probability that $(s_i - s_j) \bmod p$ is $c$ is $1/p$.

A sequence of $m$ pair-wise independent numbers can be generated from about $\log m$ independent random numbers by a subset construction. The subset construction only involves exclusive-or operations.

A pair-wise independent sequence can also be generated by an algebraic construction in GF(p), by using two independent random numbers $a$ and $b$ in GF(p). The sequence is given by $s_i = (a + i \cdot b) \bmod p$.

A pair-wise differentially uniform in GF(p) sequence can be generated from only a single random number $a$ in GF(p) by defining $s_i = (i \cdot a) \bmod p$.

These definitions have been given here only to explain the general principles. In the following description of the new mode, the sequence used is a subtle variation of definition 3. For proofs of security, see the aforementioned references.

2. Integrity Aware Parallelizable Mode (IAPM) using a prime number

Let $n$ be the block size of the underlying block cipher. We will restrict our attention to $n = 128$ in this paper. If the block cipher requires keys of length $k$, then this mode requires two independent keys of length $k$. Let these keys be called $K0$ and $K1$. From now on, we will use $f_K$ to denote the encryption function under key $K$.

The message to be encrypted, $P$, is divided into blocks of length $n$ each. Let these blocks be $P_1, P_2, \ldots, P_{m-1}$. As in CBC, a random initial vector $r$ of length $n$ bits is chosen. The vector $r$ need not be chosen randomly, as long as it is unique for each message. This random vector is used to generate a new random vector $a$ using the block cipher and key $K0$, which in turn is used to prepare $m+1$ new pairwise differentially uniform vectors $S_0, S_1, \ldots, S_m$.

Let $p = 2^{128} - 159$. The number $p$ is known to be a prime. This prime will be fixed for all invocations of this mode using block ciphers of block size 128 bits. For 64-bit ciphers $p = 2^{64} - 257$ is recommended.

Now, the sequence $S_0, S_1, \ldots, S_m$ is generated by the following procedure:

    procedure pairwise_diff_uniform_sequence(in r, m, K0; out S)
    {
        a = f_K0(r)
        if a >= 2^128 - 159
            a = (a + 159) mod 2^128
        S_0 = a
        for i = 1 to m do
            S_i = (S_{i-1} + a) mod 2^128
            if a > S_i
                S_i = S_i + 159
        end for
    }

The condition $a > S_i$ is equivalent to 128-bit integer addition overflow in the previous step. Note that we do not reduce modulo $p$ if $S_{i-1} + a < 2^{128}$, but we do compensate by 159 if $S_{i-1} + a \geq 2^{128}$, as in the latter case $(S_{i-1} + a) \bmod p = S_{i-1} + a - (2^{128} - 159) = S_{i-1} + a - 2^{128} + 159$.

[Figure 1: Integrity Aware Parallelizable Mode (IAPM). The figure shows $r$ fed through $f_{K0}$ to $a$ and the mod $p$ construction producing $S_0, S_1, \ldots, S_m$; the inputs $P_1, \ldots, P_{m-1}$ and the checksum whitened by $S_1, \ldots, S_m$ into $M_1, \ldots, M_m$; each $M_i$ passed through $f_{K1}$ to $N_1, \ldots, N_m$; and the outputs whitened into $C_0, C_1, \ldots, C_m$.]

In this mode, the input and output whitening is done by 128-bit integer addition. The ciphertext message $C = \langle C_0, C_1, \ldots, C_m \rangle$ is generated as follows (see Figure 1):

    C_0 = r
    for i = 1 to m-1 do
        M_i = (P_i + S_i) mod 2^128
        N_i = f_K1(M_i)
        C_i = (N_i + S_i) mod 2^128
    end for
    checksum = P_1 xor P_2 xor ... xor P_{m-1}
    M_m = (checksum + S_m) mod 2^128
    N_m = f_K1(M_m)
    C_m = (N_m + S_0) mod 2^128

Note that for computing the checksum we use xor instead of addition modulo $2^{128}$. The scheme is secure even if the checksum is computed by a modulo $2^{128}$ sum, but for the standard we prefer that the checksum be computed by an xor-sum. Note that $S_0$ is used in the last step.

The above scheme is invertible. The inversion process yields blocks $P_1, P_2, \ldots, P_m$. The decrypted plaintext is $\langle P_1, P_2, \ldots, P_{m-1} \rangle$. Message integrity is verified by checking $P_m = P_1 \oplus P_2 \oplus \ldots \oplus P_{m-1}$.

Here is the pseudo-code for decryption:

    r = C_0
    invoke pairwise_diff_uniform_sequence(r, m, K0; S)
    for i = 1 to m-1 do
        N_i = (C_i - S_i) mod 2^128
        M_i = f_K1^{-1}(N_i)
        P_i = (M_i - S_i) mod 2^128
    end for
    checksum = P_1 xor P_2 xor ... xor P_{m-1}
    N_m = (C_m - S_0) mod 2^128
    M_m = f_K1^{-1}(N_m)
    P_m = (M_m - S_m) mod 2^128
    Integrity = (P_m == checksum)

3.
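The sequence generation, encryption and decryption procedures of Section 2, carried through in working Python as an added example; this is not code from the paper and not the author's implementation. Because the page leaves the block cipher abstract, the example assumes a stand-in keyed 128-bit permutation (a four-round Feistel network whose round function is HMAC-SHA256) in place of $f_K$; that stand-in only supplies an invertible keyed map of the right width and is not a secure block cipher. The keys, the initial vector r and the plaintext blocks are constructed sample values, and the function names (`pairwise_diff_uniform_sequence`, `iapm_encrypt`, `iapm_decrypt`, `check_mod_p_relation`) are the example's own. `check_mod_p_relation` goes slightly beyond the page's procedure by verifying the invariant it relies on, $S_i \equiv (i+1) \cdot a \pmod p$, which is what makes the +159 compensation equivalent to reduction modulo $p$ and ties the sequence back to definition 3.

```python
import hmac
import hashlib
from typing import List, Tuple

BLOCK_BITS = 128
MOD = 1 << BLOCK_BITS        # 2^128: whitening uses 128-bit integer addition
P = MOD - 159                # the paper's fixed prime for 128-bit block ciphers
HALF_MASK = (1 << 64) - 1


def _round_fn(key: bytes, rnd: int, half: int) -> int:
    """Keyed Feistel round function: HMAC-SHA256 of (round, half), truncated to 64 bits."""
    data = bytes([rnd]) + half.to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:8], "big")


def f(key: bytes, x: int) -> int:
    """Stand-in for f_K: 4-round Feistel permutation on 128-bit ints (assumed, not a real cipher)."""
    left, right = x >> 64, x & HALF_MASK
    for rnd in range(4):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 64) | right


def f_inv(key: bytes, y: int) -> int:
    """Inverse of f: run the Feistel rounds backwards."""
    left, right = y >> 64, y & HALF_MASK
    for rnd in reversed(range(4)):
        left, right = right ^ _round_fn(key, rnd, left), left
    return (left << 64) | right


def pairwise_diff_uniform_sequence(r: int, m: int, k0: bytes) -> List[int]:
    """The paper's procedure: S_0..S_m using 128-bit additions plus a +159
    compensation whenever an addition overflows (i.e. subtract p instead of 2^128)."""
    a = f(k0, r)
    if a >= P:                      # a >= 2^128 - 159: bring a into GF(p)
        a = (a + 159) % MOD
    S = [a]                         # S_0 = a
    for i in range(1, m + 1):
        s_i = (S[i - 1] + a) % MOD
        if a > s_i:                 # equivalent to overflow in the previous addition
            s_i += 159
        S.append(s_i)
    return S


def check_mod_p_relation(S: List[int]) -> bool:
    """Every S_i is congruent to (i+1)*S_0 mod p, so (S_i - S_j) mod p == (i-j)*a mod p:
    the sequence is definition 3's s_i = i*a mod p, just not fully reduced."""
    a = S[0]
    return all((s - (i + 1) * a) % P == 0 for i, s in enumerate(S))


def iapm_encrypt(k0: bytes, k1: bytes, r: int, blocks: List[int]) -> List[int]:
    """Returns <C_0, ..., C_m> for plaintext blocks P_1..P_{m-1}; C_0 is r,
    which must be unique per message under the same keys."""
    m = len(blocks) + 1
    S = pairwise_diff_uniform_sequence(r, m, k0)
    C, checksum = [r], 0
    for i, p_i in enumerate(blocks, start=1):
        m_i = (p_i + S[i]) % MOD     # input whitening
        n_i = f(k1, m_i)
        C.append((n_i + S[i]) % MOD)  # output whitening
        checksum ^= p_i              # xor-sum, as the paper prefers for the standard
    m_m = (checksum + S[m]) % MOD
    n_m = f(k1, m_m)
    C.append((n_m + S[0]) % MOD)     # S_0, not S_m, whitens the last output
    return C


def iapm_decrypt(k0: bytes, k1: bytes, C: List[int]) -> Tuple[List[int], bool]:
    """Inverts iapm_encrypt; returns (P_1..P_{m-1}, integrity_ok)."""
    r, m = C[0], len(C) - 1
    S = pairwise_diff_uniform_sequence(r, m, k0)
    blocks, checksum = [], 0
    for i in range(1, m):
        p_i = (f_inv(k1, (C[i] - S[i]) % MOD) - S[i]) % MOD
        blocks.append(p_i)
        checksum ^= p_i
    p_m = (f_inv(k1, (C[m] - S[0]) % MOD) - S[m]) % MOD
    return blocks, p_m == checksum   # integrity: recovered P_m must equal the xor-sum


if __name__ == "__main__":
    # Constructed sample values, not test vectors from the paper.
    K0, K1 = b"constructed-key-0", b"constructed-key-1"
    R = 0x0123456789ABCDEF0123456789ABCDEF
    msg = [int.from_bytes(f"sample block {i}".encode().ljust(16, b"\0"), "big") for i in range(3)]
    ct = iapm_encrypt(K0, K1, R, msg)
    pt, ok = iapm_decrypt(K0, K1, ct)
    print("roundtrip ok:", pt == msg and ok)
    ct[1] ^= 1                       # flip one ciphertext bit
    print("tampered accepted:", iapm_decrypt(K0, K1, ct)[1])
```

The tamper check at the end is the integrity property in action: changing any $C_i$ ($1 \le i \le m-1$) changes the recovered $P_i$, and hence the xor-sum, while $P_m$ is unchanged, so the comparison fails; changing $C_m$ changes $P_m$ while the xor-sum stays put. Note that the procedure leaves some $S_i$ in the range $[p, 2^{128})$ rather than reducing them, exactly as the text says; `check_mod_p_relation` confirms that they are nevertheless the right residues modulo $p$.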